
Security: Add image validation and filename sanitization #7

Merged
vladiant merged 3 commits into main from add_image_validation
Mar 30, 2026

Conversation

@vladiant
Collaborator

Summary

Hardens the upload pipeline against malicious file uploads and path-traversal attacks. Bumps version to 1.2.2.

Problem

  • Uploaded files were passed directly to Pillow without validation, exposing the service to decompression bombs, truncated-file attacks, and other Pillow CVEs.
  • User-supplied filenames were used as-is (only falling back to "unnamed" if empty), allowing path traversal (../../../etc/passwd), null-byte injection, and hidden-file creation.

Changes

| File | What changed |
| --- | --- |
| image_validator.py | New. Validates image bytes with verify() + load(), enforces format allowlist (JPEG/PNG/WEBP/TIFF), blocks decompression bombs (100MP limit). |
| pillow_processor.py | Sets ImageFile.LOAD_TRUNCATED_IMAGES = False explicitly. |
| sanitize.py | New. sanitize_filename() strips path traversal, null bytes, control chars, hidden-file dots; normalizes Unicode; truncates to 255 chars. |
| images.py | Calls validate_image_bytes() and sanitize_filename() on upload. |
| local_image_storage.py | Defence-in-depth: extracts basename, resolves path, validates it stays inside base directory. |
| test_image_validator.py | New. 10 tests: valid/invalid images, truncated, wrong format, crafted headers, decompression bombs. |
| test_sanitize.py | New. 18 tests: traversal (Unix/Windows), null bytes, hidden files, Unicode, long names. |
| CHANGELOG.md | New [1.2.2] section under Security. |
| pyproject.toml | Version bump 1.2.1 → 1.2.2. |

Validation

  • ruff check — clean
  • mypy src/ — clean (45 files)
  • pytest -v — 76/76 passed

Version bump

PATCH (1.2.1 → 1.2.2) — security fixes only, no API changes.
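The filename handling the PR describes (sanitize_filename() in sanitize.py plus the basename/resolve/confine check in local_image_storage.py) is shown here as an added, self-contained example. It is not the project's code: the function names sanitize_filename, is_within and resolve_storage_path, the fallback name and the base directory /srv/uploads are assumptions chosen for illustration, and the sample inputs at the bottom are constructed.

```python
import os
import re
import unicodedata
from pathlib import Path

MAX_NAME_LEN = 255
# NUL, the other C0 control characters and DEL are removed outright.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_filename(name: str, fallback: str = "unnamed") -> str:
    """Reduce an untrusted upload name to a single safe path component.
    Assumed signature, not the project's own."""
    # Canonical Unicode form, so compatibility characters (ligatures,
    # full-width forms) collapse before any of the checks below run.
    name = unicodedata.normalize("NFKC", name)
    # Null-byte injection and other control characters.
    name = _CONTROL_RE.sub("", name)
    # Path traversal: keep only the last component, for Unix and Windows separators.
    name = name.replace("\\", "/").split("/")[-1]
    # Hidden-file leading dots, plus trailing dots/spaces that Windows silently drops.
    name = name.lstrip(".").strip().rstrip(". ")
    if not name:
        return fallback
    # Length cap, keeping a short extension when there is one.
    if len(name) > MAX_NAME_LEN:
        stem, dot, ext = name.rpartition(".")
        if dot and 0 < len(ext) <= 16:
            name = stem[: MAX_NAME_LEN - len(ext) - 1] + "." + ext
        else:
            name = name[:MAX_NAME_LEN]
    return name


def is_within(base_dir: Path, candidate: Path) -> bool:
    """True if candidate resolves to a location inside base_dir."""
    base = base_dir.resolve()
    try:
        candidate.resolve().relative_to(base)
        return True
    except ValueError:
        return False


def resolve_storage_path(base_dir: Path, filename: str) -> Path:
    """Storage-layer defence in depth: basename, resolve, then confine to base_dir.
    Runs even when the name was already sanitized upstream."""
    candidate = base_dir / os.path.basename(filename)
    if not is_within(base_dir, candidate):
        raise ValueError(f"refusing path outside storage directory: {filename!r}")
    return candidate.resolve()


if __name__ == "__main__":
    # Constructed sample inputs, not real upload data.
    samples = ["../../../etc/passwd", "..\\..\\win.ini", ".bashrc",
               "evil.png\x00.exe", "\ufb01le.png", "...."]
    for raw in samples:
        print(repr(raw), "->", repr(sanitize_filename(raw)))
    print(resolve_storage_path(Path("/srv/uploads"), "../../etc/passwd"))
```

The confinement check is deliberately a separate function from the basename step: basename alone already neutralises traversal on POSIX, and is_within() is the backstop that catches anything a future code path might feed to the storage layer without going through the sanitizer.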

@vladiant vladiant merged commit 25b91a9 into main Mar 30, 2026
4 checks passed
@vladiant vladiant deleted the add_image_validation branch March 30, 2026 05:35
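The image-validation side of this PR (format allowlist, crafted headers, decompression-bomb limit) is illustrated below by an added example that is not the project's image_validator.py. The project validates with Pillow's verify() + load(); this standard-library pre-screen is a complement that reads only the declared format and dimensions from PNG and JPEG headers before the bytes ever reach a decoder, and it is not a substitute for the full Pillow check. Function names, the ValueError convention for malformed headers, and the make_png_header / make_jpeg_header builders (which produce header fragments only, not decodable images) are all constructed for this example.

```python
import struct
import zlib
from typing import Optional, Tuple

MAX_PIXELS = 100_000_000  # same 100 MP ceiling the PR applies via Pillow
ALLOWED_FORMATS = {"JPEG", "PNG", "WEBP", "TIFF"}
# JPEG start-of-frame markers carrying dimensions (0xC4, 0xC8, 0xCC are not SOF).
_SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def detect_format(data: bytes) -> Optional[str]:
    """Identify the container by magic bytes; None for anything else."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "PNG"
    if data[:3] == b"\xff\xd8\xff":
        return "JPEG"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "WEBP"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "TIFF"
    return None


def declared_dimensions(data: bytes, fmt: str) -> Optional[Tuple[int, int]]:
    """(width, height) as declared in the header; None if this pre-screen does not
    parse the format. Raises ValueError for a structurally malformed header."""
    if fmt == "PNG":
        # IHDR is mandatory and must be the first chunk: length, b"IHDR", width, height.
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("PNG without a leading IHDR chunk")
        width, height = struct.unpack(">II", data[16:24])
        return width, height
    if fmt == "JPEG":
        i = 2  # skip SOI
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                raise ValueError("JPEG marker sequence broken")
            marker = data[i + 1]
            if marker == 0xFF:  # fill byte before a marker
                i += 1
                continue
            if marker == 0x01 or 0xD0 <= marker <= 0xD9:  # standalone markers, no length
                i += 2
                continue
            (seg_len,) = struct.unpack(">H", data[i + 2 : i + 4])
            if marker in _SOF_MARKERS:
                # SOF layout: marker, length, precision, height, width, ...
                if i + 9 > len(data):
                    raise ValueError("truncated SOF segment")
                height, width = struct.unpack(">HH", data[i + 5 : i + 9])
                return width, height
            i += 2 + seg_len
        return None  # no SOF seen; leave the verdict to the full decoder
    return None  # WEBP / TIFF: not parsed by this pre-screen


def prescreen_image(data: bytes) -> Tuple[bool, str]:
    """Cheap header checks to run before handing bytes to Pillow."""
    fmt = detect_format(data)
    if fmt is None or fmt not in ALLOWED_FORMATS:
        return False, "unrecognised or disallowed format"
    try:
        dims = declared_dimensions(data, fmt)
    except ValueError as exc:
        return False, f"malformed {fmt} header: {exc}"
    if dims is not None:
        width, height = dims
        if width == 0 or height == 0:
            return False, f"{fmt} declares a zero dimension"
        if width * height > MAX_PIXELS:
            return False, f"{fmt} declares {width}x{height}, over the {MAX_PIXELS} pixel limit"
    return True, fmt


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: PNG signature plus a valid IHDR chunk, no image data."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = b"IHDR" + ihdr
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", len(ihdr)) + chunk + crc


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed test input: SOI, a JFIF APP0 segment and a baseline SOF0."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00" + b"\x00\x01\x00\x01\x00\x00"
    sof0 = (b"\xff\xc0" + struct.pack(">HBHH", 17, 8, height, width)
            + b"\x03" + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    for label, blob in [("small png", make_png_header(640, 480)),
                        ("bomb png", make_png_header(20000, 20000)),
                        ("bomb jpeg", make_jpeg_header(65535, 65535)),
                        ("gif", b"GIF89a" + bytes(20))]:
        print(label, prescreen_image(blob))
```

Because the pre-screen trusts nothing beyond a few header fields, a file that passes it can still be rejected by verify() + load(); the value of running it first is that an oversized or wrong-format upload is refused before any decoder allocates memory for it.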